<!DOCTYPE html>



  


<html class="theme-next mist use-motion" lang="zh-Hans">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css" />







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="Hexo, NexT" />










<meta name="description" content="这里主要是介绍java以代码为核心的授权方法(还有基于用户的jaas授权方法不做讨论),这个还是比较重要的(其实是看很多源代码框架使用了这个方法,为了保证代码在沙盒环境中可以运行).  权限在Java平台安全体系结构中，所有访问权限都是类型化的并且有层次结构，其根是抽象类 java.security.Permission 。标准的权限类大约有如下的这些(使用类来标记权限)    　 类型 权限名">
<meta property="og:type" content="article">
<meta property="og:title" content="kyssion-blog">
<meta property="og:url" content="http://yoursite.com/2018/10/09/java-从AccessController.doPrivileged看java的授权和沙箱/index.html">
<meta property="og:site_name" content="kyssion-blog">
<meta property="og:description" content="这里主要是介绍java以代码为核心的授权方法(还有基于用户的jaas授权方法不做讨论),这个还是比较重要的(其实是看很多源代码框架使用了这个方法,为了保证代码在沙盒环境中可以运行).  权限在Java平台安全体系结构中，所有访问权限都是类型化的并且有层次结构，其根是抽象类 java.security.Permission 。标准的权限类大约有如下的这些(使用类来标记权限)    　 类型 权限名">
<meta property="og:locale" content="zh-Hans">
<meta property="og:updated_time" content="2018-10-09T07:22:37.337Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="kyssion-blog">
<meta name="twitter:description" content="这里主要是介绍java以代码为核心的授权方法(还有基于用户的jaas授权方法不做讨论),这个还是比较重要的(其实是看很多源代码框架使用了这个方法,为了保证代码在沙盒环境中可以运行).  权限在Java平台安全体系结构中，所有访问权限都是类型化的并且有层次结构，其根是抽象类 java.security.Permission 。标准的权限类大约有如下的这些(使用类来标记权限)    　 类型 权限名">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Mist',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://yoursite.com/2018/10/09/java-从AccessController.doPrivileged看java的授权和沙箱/"/>





  <title> | kyssion-blog</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/"  class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">kyssion-blog</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br />
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br />
            
            关于
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br />
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br />
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-schedule">
          <a href="/schedule/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-calendar"></i> <br />
            
            日程表
          </a>
        </li>
      
        
        <li class="menu-item menu-item-sitemap">
          <a href="/sitemap.xml" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-sitemap"></i> <br />
            
            站点地图
          </a>
        </li>
      
        
        <li class="menu-item menu-item-commonweal">
          <a href="/404/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-heartbeat"></i> <br />
            
            公益404
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2018/10/09/java-从AccessController.doPrivileged看java的授权和沙箱/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="kyssion">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="kyssion-blog">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline"></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2018-10-09T15:22:37+08:00">
                2018-10-09
              </time>
            

            

            
          </span>

          

          
            
          

          
          

          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <blockquote>
<p>这里主要是介绍java以代码为核心的授权方法(还有基于用户的jaas授权方法不做讨论),这个还是比较重要的(其实是看很多源代码框架使用了这个方法,为了保证代码在沙盒环境中可以运行).</p>
</blockquote>
<h3 id="权限"><a href="#权限" class="headerlink" title="权限"></a>权限</h3><p>在Java平台安全体系结构中，所有访问权限都是类型化的并且有层次结构，其根是抽象类 java.security.Permission 。标准的权限类大约有如下的这些(使用类来标记权限)</p>
<table>
<thead>
<tr>
<th>　</th>
<th>类型</th>
<th>权限名</th>
<th>操作</th>
<th>例子</th>
</tr>
</thead>
<tbody>
<tr>
<td>文件权限</td>
<td>java.io.FilePermission</td>
<td>文件名（平台依赖）</td>
<td>读、写、删除、执行</td>
<td>允许所有问价的读写删除执行：permission java.io.FilePermission “&lt;&lt; ALL FILES&gt;&gt;”, “read,write,delete,execute”;。允许对用户主目录的读：permission java.io.FilePermission “${user.home}/-“, “read”;。</td>
</tr>
<tr>
<td>套接字权限</td>
<td>java.net.SocketPermission</td>
<td>主机名:端口</td>
<td>接收、监听、连接、解析</td>
<td>允许实现所有套接字操作：permission java.net.SocketPermission “<em>:1-“, “accept,listen,connect,resolve”;。允许建立到特定网站的连接：permission java.net.SocketPermission “</em>.abc.com:1-“, “connect,resolve”;。</td>
</tr>
<tr>
<td>属性权限</td>
<td>java.util.PropertyPermission</td>
<td>需要访问的jvm属性名</td>
<td>读、写</td>
<td>读标准Java属性：permission java.util.PropertyPermission “java.<em>“, “read”;。在sdo包中创建属性：permission java.util.PropertyPermission “sdo.</em>“, “read,write”;。</td>
</tr>
<tr>
<td>运行时权限</td>
<td>java.lang.RuntimePermission</td>
<td>多种权限名[见附录A]</td>
<td>无</td>
<td>允许代码初始化打印任务：permission java.lang.RuntimePermission “queuePrintJob”</td>
</tr>
<tr>
<td>AWT权限</td>
<td>java.awt.AWTPermission</td>
<td>6种权限名[见附录B]</td>
<td>无</td>
<td>允许代码充分使用robot类：permission java.awt.AWTPermission “createRobot”; permission java.awt.AWTPermission “readDisplayPixels”;。</td>
</tr>
<tr>
<td>网络权限</td>
<td>java.net.NetPermission</td>
<td>3种权限名[见附录C]</td>
<td>无</td>
<td>允许安装流处理器：permission java.net.NetPermission “specifyStreamHandler”;。</td>
</tr>
<tr>
<td>安全权限</td>
<td>java.security.SecurityPermission</td>
<td>多种权限名[见附录D]</td>
<td>无</td>
<td></td>
</tr>
<tr>
<td>序列化权限</td>
<td>java.io.SerializablePermission</td>
<td>2种权限名[见附录E]</td>
<td>无</td>
<td></td>
</tr>
<tr>
<td>反射权限</td>
<td>java.lang.reflect.ReflectPermission</td>
<td>suppressAccessChecks（允许利用反射检查任意类的私有变量）</td>
<td>无</td>
<td></td>
</tr>
<tr>
<td>完全权限</td>
<td>java.security.AllPermission</td>
<td>无（拥有执行任何操作的权限）</td>
<td>无</td>
</tr>
</tbody>
</table>
<blockquote>
<p>在这种模式下 jvm的权限是给代码的(可以说类反正就代码的),一个类(代码)可以有多个权限(在$JREHOME/lib/security/java.policy文件中进行配置下面说),使用PermissionCollection这样的类进行封装(jvm在运行的时候通过文件自动生成好了,然后通过反射进行校验这些东西都被隐藏起来了,研究下去意义不大,就没有接着研究)</p>
</blockquote>
<h3 id="保护域和代码源"><a href="#保护域和代码源" class="headerlink" title="保护域和代码源"></a>保护域和代码源</h3><blockquote>
<p>java2 是针对代码(对象类)添加保护区,有一个内部类ProtectionDomain,通过这个类授权访问权限,如果多个类使用同一个ProtectionDomain将会认为这个权限是相同的</p>
</blockquote>
<blockquote>
<p>显然，一定要能惟一地标识一段运行代码以保证它的访问权限没有冲突。运行代码的惟一标识属性共有两项：代码的来源（代码装载到内存所用的 URL）和代码的 signer 实体（由对应于运行代码的数字签名的一组公共密钥指定）。这两种特性的组合在 Java 2 平台安全体系结构中编写为给定运行代码的 CodeSource (在ProtectionDomain内部可以看见这个对象)。</p>
</blockquote>
<h3 id="权限生成的具体过程"><a href="#权限生成的具体过程" class="headerlink" title="权限生成的具体过程"></a>权限生成的具体过程</h3><ol>
<li>Java 运行时通过名为 java.security.Policy 的类（的具体扩展）设置 ProtectionDomain 与授予它的权限之间的映射。</li>
<li>这个类的默认扩展是 sun.security.provider.PolicyFile 。正如其名字所表明的， sun.security.provider.PolicyFile 从一个文件中获得 CodeSource （由位置 URL 和 signer 标识别名）与授予它的权限之间的映射。</li>
<li>可以通过环境变量 java.security.policy 将这个文件的位置作为输入提供给 JVM。 Policy 类提供了一个名为 getPermissions() 的方法，可以调用它以获得授予特定 CodeSource 的一组权限。</li>
</ol>
<h3 id="权限加载的过程"><a href="#权限加载的过程" class="headerlink" title="权限加载的过程"></a>权限加载的过程</h3><ol>
<li>一个类与 其 ProtectionDomain 之间的映射是在类第一次装载时设置的，并在类被垃圾收集之前不会改变。</li>
<li>一个类通常是由一个名为 SecureClassLoader 的特殊类装载的。 SecureClassLoader 首先从相应 URL 处装载字节，如果需要还会验证包围文档文件的数字签名。然后它调用上述 getPermissions() 方法获得授予类的 CodeSource 的一个填充了静态绑定权限的异类 PermissionCollection 。</li>
<li>然后 SecureClassLoader 创建新的 ProtectionDomain ，传递 CodeSource 及其相关的权限作为其构造函数的参数（当然，这假定对于给定 CodeSource 还不存在 ProtectionDomain 。如果用一个现有的 CodeSource 装载类，那么就会重复使用它已经建立的 ProtectionDomain ） 。 </li>
<li>最后，用装载的类字节向 JVM 定义一个类，并在关联的 ProtectionDomain 中维护一个引用指针。</li>
</ol>
<h3 id="执行过程"><a href="#执行过程" class="headerlink" title="执行过程"></a>执行过程</h3><p>一个名为 SecurityManager 的类负责实施系统安全策略。在默认情况下不安装安全管理器，必须通过一个在启动时传递给 JVM 的、名为 java.security.manager 的环境变量显式地指定。任何应用程序都可找到安装的 SecurityManager 并调用它相应的 check<xxx> 方法。如果所要求的权限在给定运行时上下文中是授予的，那么调用将无声地返回。如果权限没有授予，那么将抛出一个 java.security.AccessControlException 。</xxx></p>
<p>Java 2 平台安全体系结构通过引入一个名为 AccessController 的新类使这一切变得简单了，并更具有可扩展性。这个类的目的与 SecurityManager 是一样的，即它负责做出访问决定。当然， 为了向后兼容性保留了 SecurityManager 类，但是其更新的实现委派给了底层的 AccessController 。对 SecurityManager 类进行的所有 check<xxx> 方法调用都解释为相应的 Permission 对象，并将它作为输入参数传递给 AccessController 类的 checkPermission() 方法。</xxx></p>
<h3 id="权限的继承和优化问题"><a href="#权限的继承和优化问题" class="headerlink" title="权限的继承和优化问题"></a>权限的继承和优化问题</h3><blockquote>
<p>如果说类A调用了类B,B调用了类C,那么C的权限就是ABC权限的交集</p>
</blockquote>
<h3 id="最终节-gt-看java的AccessController-doPrivileged"><a href="#最终节-gt-看java的AccessController-doPrivileged" class="headerlink" title="最终节-&gt; 看java的AccessController.doPrivileged"></a>最终节-&gt; 看java的AccessController.doPrivileged</h3><ul>
<li>通过上面的引子,终于了解的这个方法是干啥的了,这个方法就是解决这样一个问题,<strong>如果A调用了B,但是A的权限太小,B的权限太大导致,A影响了B的功能,这个使用使用上面的方法,这个方法将会让jvm进行权限计算的时候将会使用B最为最顶层的权限,这个样A或者A之前的权限就对B和B之后的不起作用了</strong></li>
</ul>
<h3 id="一个简单的小例子"><a href="#一个简单的小例子" class="headerlink" title="一个简单的小例子"></a>一个简单的小例子</h3><h4 id="策略文件-JREHOME-lib-security-java-policy"><a href="#策略文件-JREHOME-lib-security-java-policy" class="headerlink" title="策略文件$JREHOME/lib/security/java.policy"></a>策略文件$JREHOME/lib/security/java.policy</h4><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Standard extensions get all permissions by default</span></span><br><span class="line"></span><br><span class="line">grant codeBase <span class="string">"file:$&#123;&#123;java.ext.dirs&#125;&#125;/*"</span> &#123;</span><br><span class="line">        permission java.security.AllPermission;</span><br></pre></td></tr></table></figure>
<h4 id="参数文件-JREHOME-lib-security-java-security-用来指定运行安全模式下的各种参数-比如在哪里加载策略文件"><a href="#参数文件-JREHOME-lib-security-java-security-用来指定运行安全模式下的各种参数-比如在哪里加载策略文件" class="headerlink" title="参数文件$JREHOME/lib/security/java.security-用来指定运行安全模式下的各种参数(比如在哪里加载策略文件)\"></a>参数文件$JREHOME/lib/security/java.security-用来指定运行安全模式下的各种参数(比如在哪里加载策略文件)\</h4><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"># The default is to have a single system-wide policy file,</span><br><span class="line"># and a policy file in the user's home directory.</span><br><span class="line">policy.url.1=file:$&#123;java.home&#125;/lib/security/java.policy</span><br><span class="line">policy.url.2=file:$&#123;user.home&#125;/.java.policy</span><br><span class="line"># whether or not we expand properties in the policy file</span><br><span class="line"># if this is set to false, properties ($&#123;...&#125;) will not be expanded in policy</span><br><span class="line"># files.</span><br><span class="line">policy.expandProperties=<span class="keyword">true</span></span><br><span class="line"># whether or not we allow an extra policy to be passed on the command line</span><br><span class="line"># with -Djava.security.policy=somefile. Comment out this line to disable</span><br><span class="line"># this feature.</span><br><span class="line">policy.allowSystemProperty=<span class="keyword">true</span></span><br></pre></td></tr></table></figure>
<h4 id="代码"><a href="#代码" class="headerlink" title="代码"></a>代码</h4><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> java.io.File;</span><br><span class="line"><span class="keyword">import</span> java.io.FileInputStream;</span><br><span class="line"><span class="keyword">import</span> java.io.FileNotFoundException;</span><br><span class="line"><span class="keyword">import</span> java.io.IOException;</span><br><span class="line"><span class="keyword">import</span> java.io.InputStream;</span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">PolicyTest</span> </span>&#123;</span><br><span class="line">    <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">file</span><span class="params">()</span> </span>&#123;</span><br><span class="line">        File f = <span class="keyword">new</span> File(<span class="string">"r.txt"</span>);</span><br><span class="line">        InputStream is;</span><br><span class="line">        <span class="keyword">try</span> &#123;</span><br><span class="line">            is = <span class="keyword">new</span> FileInputStream(f);</span><br><span class="line">            <span class="keyword">byte</span>[] content = <span class="keyword">new</span> <span class="keyword">byte</span>[<span class="number">1024</span>];</span><br><span class="line">            <span class="keyword">while</span> (is.read(content) != -<span class="number">1</span>) &#123;</span><br><span class="line">                System.out.println(<span class="keyword">new</span> String(content));</span><br><span class="line">            &#125;</span><br><span class="line">        &#125; <span class="keyword">catch</span> (FileNotFoundException e) &#123;</span><br><span class="line">            <span class="comment">// TODO Auto-generated catch block</span></span><br><span class="line">            e.printStackTrace();</span><br><span class="line">        &#125; <span class="keyword">catch</span> (IOException e) &#123;</span><br><span class="line">            <span class="comment">// TODO Auto-generated catch block</span></span><br><span class="line">            e.printStackTrace();</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> </span>&#123;</span><br><span class="line">        <span class="comment">// test read file.</span></span><br><span class="line">        file();</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<blockquote>
<p>启动参数加入-Djava.security.manager使用安全沙箱模式运行,将会报错</p>
</blockquote>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">Exception in thread <span class="string">"main"</span> java.security.AccessControlException: <span class="function">access <span class="title">denied</span><span class="params">(<span class="string">"java.io.FilePermission"</span> <span class="string">"D:githubCDLibsrcmainresourcessecurityr.txt"</span> <span class="string">"read"</span>)</span></span></span><br><span class="line"><span class="function">at java.security.AccessControlContext.<span class="title">checkPermission</span><span class="params">(Unknown Source)</span></span></span><br><span class="line"><span class="function">at java.security.AccessController.<span class="title">checkPermission</span><span class="params">(Unknown Source)</span></span></span><br><span class="line"><span class="function">at java.lang.SecurityManager.<span class="title">checkPermission</span><span class="params">(Unknown Source)</span></span></span><br><span class="line"><span class="function">at java.lang.SecurityManager.<span class="title">checkRead</span><span class="params">(Unknown Source)</span></span></span><br><span class="line"><span class="function">at java.io.FileInputStream.&lt;init&gt;<span class="params">(Unknown Source)</span></span></span><br><span class="line"><span class="function">at com.taobao.cd.security.PolicyTest.<span class="title">main</span><span class="params">(PolicyTest.java:<span class="number">15</span>)</span></span></span><br></pre></td></tr></table></figure>
<p>这样,在权限文件中添加一条这样的规则</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">grant &#123;</span><br><span class="line">    permission java.io.FilePermission <span class="string">"D:\\github\\CDLib\\src\\main\\resources\\security\\*"</span>, <span class="string">"read"</span>;</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure>
<p>然后代码就通过了</p>
<h3 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h3><blockquote>
<p>这个特性感觉使用的应该不多,框架里用的挺多,比较冷门记录一下</p>
</blockquote>

      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2018/10/09/spring5(三)-生命周期,容器扩展,lookup模式,事件/" rel="next" title="">
                <i class="fa fa-chevron-left"></i> 
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2018/10/09/spring5-condition注解实现bean细致控制/" rel="prev" title="">
                 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <p class="site-author-name" itemprop="name">kyssion</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">133</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                
                  <span class="site-state-item-count">3</span>
                  <span class="site-state-item-name">分类</span>
                
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                
                  <span class="site-state-item-count">2</span>
                  <span class="site-state-item-name">标签</span>
                
              </div>
            

          </nav>

          

          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-3"><a class="nav-link" href="#权限"><span class="nav-number">1.</span> <span class="nav-text">权限</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#保护域和代码源"><span class="nav-number">2.</span> <span class="nav-text">保护域和代码源</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#权限生成的具体过程"><span class="nav-number">3.</span> <span class="nav-text">权限生成的具体过程</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#权限加载的过程"><span class="nav-number">4.</span> <span class="nav-text">权限加载的过程</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#执行过程"><span class="nav-number">5.</span> <span class="nav-text">执行过程</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#权限的继承和优化问题"><span class="nav-number">6.</span> <span class="nav-text">权限的继承和优化问题</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#最终节-gt-看java的AccessController-doPrivileged"><span class="nav-number">7.</span> <span class="nav-text">最终节-&gt; 看java的AccessController.doPrivileged</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#一个简单的小例子"><span class="nav-number">8.</span> <span class="nav-text">一个简单的小例子</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#策略文件-JREHOME-lib-security-java-policy"><span class="nav-number">8.1.</span> <span class="nav-text">策略文件$JREHOME/lib/security/java.policy</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#参数文件-JREHOME-lib-security-java-security-用来指定运行安全模式下的各种参数-比如在哪里加载策略文件"><span class="nav-number">8.2.</span> <span class="nav-text">参数文件$JREHOME/lib/security/java.security-用来指定运行安全模式下的各种参数(比如在哪里加载策略文件)\</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#代码"><span class="nav-number">8.3.</span> <span class="nav-text">代码</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#结语"><span class="nav-number">9.</span> <span class="nav-text">结语</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2018</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">kyssion</span>

  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Mist</a> v5.1.4</div>




        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  





  

  

  

  
  

  

  

  

</body>
</html>
